From 70ec026514a725874e30eb6e0d3bdde5d94d85fc Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 18 Jun 2026 17:03:19 +0200
Subject: [PATCH 1/2] fix(npm-audit-autofix): skip autofix job when head_ref is empty
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When security-scan-source.yml is called by a repo workflow that does not yet pass head_ref, the input arrives as an empty string. The validate step in npm-audit-autofix.yml then correctly fails – but that makes the whole job fail instead of skipping gracefully. Guard the dependabot-audit-fix job condition with inputs.head_ref != '' so it simply skips when no branch name is available, matching the intent of the existing audit-fix/ guard.
---
 .github/workflows/security-scan-source.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/security-scan-source.yml b/.github/workflows/security-scan-source.yml
index c7a119f..c75c2a8 100644
--- a/.github/workflows/security-scan-source.yml
+++ b/.github/workflows/security-scan-source.yml
@@ -200,6 +200,7 @@ jobs:
 always()
 && needs.scan_source.outputs.npm_audit_result == 'failure'
 && (github.actor == 'dependabot[bot]' || github.event_name == 'schedule')
+ && inputs.head_ref != ''
 && !startsWith(inputs.head_ref, 'audit-fix/')
 uses: ./.github/workflows/npm-audit-autofix.yml
 with:
From 488bc07923b458b491929ae0ca0c93a7514eb2e2 Mon Sep 17 00:00:00 2001
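Review bot: The reason for the added `&& inputs.head_ref != ''` clause lives only in the commit message; a reader of the workflow sees an empty-string check with no hint of why, so a comment on the line above it would help: `# head_ref is empty when the caller does not pass it; the autofix job needs a branch to push to, so skip rather than fail`. The same `if:` expression opens with `always()`, which keeps this PR-opening job eligible even when the calling run has been cancelled; `!cancelled()` gives the intended "run even if scan_source failed" behaviour without that, although with the `npm_audit_result == 'failure'` check the practical exposure is small. The enclosing `dependabot-audit-fix` job header lies before the hunk and its `with:` block continues after it, so I cannot see what head_ref is forwarded as.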
From: tehw0lf
Date: Thu, 18 Jun 2026 17:05:35 +0200
Subject: [PATCH 2/2] fix(npm-audit-autofix): remove schedule trigger from autofix condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The autofix job requires a Dependabot branch as PR target. On schedule events github.head_ref is always empty, so the job would always skip (or previously fail). Restrict the condition to dependabot[bot] actor only – schedule runs report audit findings but cannot open a fix PR.
---
 .github/workflows/security-scan-source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-scan-source.yml b/.github/workflows/security-scan-source.yml
index c75c2a8..df148b4 100644
--- a/.github/workflows/security-scan-source.yml
+++ b/.github/workflows/security-scan-source.yml
@@ -199,7 +199,7 @@ jobs:
 if: |
 always()
 && needs.scan_source.outputs.npm_audit_result == 'failure'
- && (github.actor == 'dependabot[bot]' || github.event_name == 'schedule')
+ && github.actor == 'dependabot[bot]'
 && inputs.head_ref != ''
 && !startsWith(inputs.head_ref, 'audit-fix/')
 uses: ./.github/workflows/npm-audit-autofix.yml
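Review bot: The new condition authorizes the autofix run solely on `github.actor == 'dependabot[bot]'`, while the branch the job will act on still comes from the caller-supplied `inputs.head_ref`, which is only checked for being non-empty and not starting with `audit-fix/`. Since the commit message states the job requires a Dependabot branch, the `if:` should enforce that directly, e.g. replace the exclusion with `&& startsWith(inputs.head_ref, 'dependabot/')` (the default Dependabot branch prefix; confirm the repository does not customise it), which rejects `audit-fix/` branches and any other branch name a caller might forward. The validate step mentioned in the first commit lives in npm-audit-autofix.yml and is not visible here, so I cannot tell whether it already imposes this restriction; if it does, a one-line comment above the actor check saying so would spare the next reader the same question. The enclosing `dependabot-audit-fix` job header lies before the hunk and its `with:` block after it.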